Fake UPS malspam delivers two malicious packages

Malspam is a classic hacking technique that still proves successful, especially when the emails in question are made to look quite legitimate. The goal with malspam is to get, as the name infers, malware to infect a machine via spam email. Such is the case with a current malspam campaign that has been monitored by security professionals since late June. According to Brad Duncan, a researcher at SANS Institute, the malspam in question is posing as email from the United Parcel Service and contains a .zip folder with both NemucodAES ransomware and Kovter malware.

As Duncan writes in his report, “Malspam with zip archives containing JavaScript files are easy for most organizations to detect” but, for many organizations, “investigating blocked emails is pretty low on their list of priorities.” This is problematic as this particular malspam contains two rather powerful strains of malware.

The first of these, NemucodAES, is a ransomware that is written in JavaScript and PHP. It is able to, in addition to encrypting your files with TeslaCrypt (or other ransomware binaries), download other malware. This is the most up-to-date version of Nemucod ransomware strains, and while decryptors exist, the addition of another malware make this attack more complex as it assaults the machine in two ways, both on the machine level as well as the client-side level.

The second of the .zip download is an older malware called Kovter. It was known initially as a ransomware, but eventually was formatted to be a “click-fraud” malware. Basically this creates a situation in which a malicious script generates clicks for numerous websites (which are also malicious) for obvious monetary reasons. During the infection, a hacker can infiltrate and gain control of your machine. Even if the machine becomes decrypted and the ransomware is removed, you still have to deal with the reality that your computer has been used as a hub for click-fraud or worse. The amount of malicious traffic that will have flooded your machine by this point is significant.

Victims are baited to download the .zip file containing NemucodAES and Kovter as the email (shown below) claims the attachment is related to an undelivered package from UPS.

In actuality, the .zip file contains the following malicious code:

The victim is then met with the following message:

The strategy for preventing an infection from this malspam is two-fold. Firstly, Duncan states that “with proper network monitoring, traffic from an infection is easily detected. But some of these messages might slip past your filtering, and some people could possibly get infected.” As such, one must educate themselves on the nature of malspam and how not to fall for download requests. If these two countermeasures are deployed, there is a chance that, as this campaign evolves, you can keep yourself and your network safe.

Photo credit: SANS Institute

Post Views: 1,380

Featured Links

Read Next

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Latest Podcast

Featured Freeware

Recommended

Follow Us

Fake UPS malspam delivers two malicious packages

TECHGENIX

TechGenix reaches millions of IT Professionals every month, and has set the standard for providing free technical content through its growing family of websites, empowering them with the answers and tools that are needed to set up, configure, maintain and enhance their networks.